oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType

From: Eric Covener <covener () apache org>
Date: Wed, 17 Jul 2024 18:23:15 +0000
Severity: important

Affected versions:

- Apache HTTP Server 2.4.60 through 2.4.61

Description:

A partial fix forĀ  CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type 
based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are 
requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead 
of interpreted.

Users are recommended to upgrade to version 2.4.62, which fixes this issue.

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-40725

Timeline:

2024-07-09: reported
Previous By Date Next
Previous By Thread Next

Current thread: